By default iptables permits all incoming and outgoing connections; however,
some rules may already exist on your system. To see the current set of
rules, type:

/sbin/iptables -L -v

You should see three chains, all empty. If you don't, you can back up
your existing rules by running

/sbin/iptables-save > ~/rules.save

which will write the rules.save file into your home directory. Should
you want to reload your old configuration later, you can run

/sbin/iptables-restore < ~/rules.save

Now that any old rules have been saved for later reference, you can
type:

iptables -F

to flush (delete everything in) the rule set. The most basic rule to
apply is the default policy: if no other rule on a chain matches, the
default target (the policy) is used. For INPUT we want this to be DROP,
but before setting it you need to be sure you won't cut yourself off from
the internet (a DROP policy on its own blocks ALL incoming traffic,
including replies to connections you started). To make this policy
viable, your kernel must be able to keep track of active TCP connections
as well as related UDP packets. Therefore, you must enable connection
tracking in the kernel:

Linux Kernel Configuration: iptables configuration

Networking support --->
    Networking options --->
        [*] Network packet filtering framework (Netfilter) --->
            Core Netfilter Configuration --->
                <*> Netfilter connection tracking support
                -*- Netfilter Xtables support (required for ip_tables)
                <*> "state" match support

After configuring your kernel, you can now type:

iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

What this tells iptables is that you want to append a rule to the INPUT
chain (-A INPUT) that will accept (-j ACCEPT) packets as long as they
belong to, or are related to, a connection the kernel has already seen.
The -m state tells iptables to load the match extension (module) named
state, and --state RELATED,ESTABLISHED is an argument to that module.
Thus "-m state --state" isn't actually redundant: -m selects the module
and --state defines which connection states to match, namely RELATED
and ESTABLISHED. Now you are ready to secure your system. Change the
default policy for INPUT to DROP:

iptables -P INPUT DROP

Now you should still be able to get on the internet and do all your
normal tasks; it's just that no new connections can be made from the
outside in. If you have no need for incoming connections you are set;
if you want to do something more advanced, move on to the next section.

The LOG target is non-terminating: after logging a packet, processing
continues with the next rule in the chain. So if you put a LOG rule at
the beginning of a chain you will log ALL packets; if you put it at the
end and the policy is DROP, it will log every packet that is about to be
dropped. If your default policy is ACCEPT, you should instead create a
chain called LOGDROP so that, rather than just dropping packets, you can
log and then drop them. To do this, run the following commands:

iptables -N LOGDROP

creates a new chain named LOGDROP,

iptables -A LOGDROP -j LOG

logs the packets that reach the chain, and

iptables -A LOGDROP -j DROP

drops them. Now, instead of using "-j DROP", use "-j LOGDROP" whenever
you want to do both, for instance when blocking specific ports.

Once all this is done, any logged packets will appear in
/var/log/messages, along with the rest of the kernel (dmesg) output.
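The ruleset this page builds up step by step (connection-tracking accept, INPUT policy DROP, and a LOGDROP chain), as an added example that is not part of the original page: it emits the rules in the format iptables-restore reads so they can be reviewed and order-checked before loading. The function names and the --log-prefix text are assumptions of this example, not the page's.

```shell
#!/bin/sh
# Added example (not from the original page): emit the ruleset this page
# builds up, in the file format iptables-restore reads, so it can be reviewed
# and sanity-checked before it is loaded. The function names and the
# --log-prefix text are this example's own choices, not the page's.

# Print the ruleset. Arg 1: name of the log-then-drop chain (page: LOGDROP).
# INPUT policy DROP with the RELATED,ESTABLISHED accept first, then a
# catch-all jump so everything that would be dropped is logged as well.
build_ruleset() {
    chain="${1:-LOGDROP}"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:${chain} - [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j ${chain}
-A ${chain} -j LOG --log-prefix "${chain}: "
-A ${chain} -j DROP
COMMIT
EOF
}

# Check (ruleset on stdin) that the RELATED,ESTABLISHED accept comes before
# the jump to the log/drop chain on INPUT. If the jump came first, replies to
# your own connections would be dropped too: the "cut off from the internet"
# case the page warns about. Exits 0 when the order is right.
check_order() {
    awk -v chain="${1:-LOGDROP}" '
        /^-A INPUT .*--state RELATED,ESTABLISHED -j ACCEPT$/ { accept = NR }
        $0 == "-A INPUT -j " chain                          { jump = NR }
        END { exit !(accept && jump && accept < jump) }'
}

# Back up the live rules the way the page does, then load the new set.
# Needs root, so it refuses to run otherwise. Arg 2: backup file path.
apply_ruleset() {
    backup="${2:-$HOME/rules.save}"
    [ "$(id -u)" -eq 0 ] || { echo "apply_ruleset: run as root" >&2; return 1; }
    build_ruleset "$1" | check_order "$1" || return 1
    /sbin/iptables-save > "$backup" || return 1
    build_ruleset "$1" | /sbin/iptables-restore
}

# Review the generated rules without touching the kernel.
build_ruleset LOGDROP
```

Running the script as an unprivileged user only prints the ruleset; call apply_ruleset as root once the output looks right.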

A very good guide to using your Linux box as a router can be found
here:
http://www.gentoo.org/doc/en/home-router-howto.xml
Many of the iptables tips in this section carry over and will help you
understand and modify what you do in that guide.